Hi,

I found a buffer overflow ​ ​ in console_clear() which result in a system reset in my case.

F ​u​ nction console_clear_line() uses ">> 2" when calling memsetl. ​Function console_scrollup() ​ ​ uses ">> 2" ​​ when calling memcpyl. Function ​​ video_clear() ​uses "/ size(int)" ​ ​ when calling memsetl ​ .

​">> 2" could be replace by "/ size(int)" as in ​ ​ video_clear(). I used ">> 2" strictly because console functions are written that way.

​CONSOLE_SIZE is expressed in byte(X * Y * bytes per pixel) and memsetl uses int(4 bytes) as copy size. In n ​ console_clear(), this result in writing 4 times the buffer size.

Best regards Frédéric Nadeau

diff --git a/drivers/video/cfb_console.c b/drivers/video/cfb_console.c index a81affa..620935e 100644 --- a/drivers/video/cfb_console.c +++ b/drivers/video/cfb_console.c @@ -798,7 +798,7 @@ static void ​​ ​​ console_clear(void) bgx /* fill color */ ); #else - memsetl(CONSOLE_ROW_FIRST, CONSOLE_SIZE, bgx); + memsetl(CONSOLE_ROW_FIRST, CONSOLE_SIZE ​>> 2​ , bgx); #endif }